Slash0X99

**Name of the Vulnerable Software and Affected Versions** GFI KerioConnect version 10.0.6 **Description** A vulnerability was found in the Signature Handler component of GFI KerioConnect, affecting the processing of the file Settings/Email/Signature/EditHtmlSource. This issue leads to cross-site scripting and can be initiated remotely. The exploit has been disclosed to the public. **Recommendations** For GFI KerioConnect version 10.0.6, as a temporary workaround, consider restricting access to the Signature Handler component, specifically the EditHtmlSource function, until a patch is available. Avoid using the `EditHtmlSource` function in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GFI KerioConnect version 10.0.6 **Description** A vulnerability was found in the PDF File Handler component, which can lead to cross-site scripting. The attack can be launched remotely. The issue affects an unknown functionality of this component. **Recommendations** For GFI KerioConnect version 10.0.6, as a temporary workaround, consider disabling the PDF File Handler component until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Roxy-WI versions up to 8.1.3 **Description** A critical issue has been found in Roxy-WI, affecting the `action service` function of the file `app/modules/roxywi/roxy.py`. The manipulation of the `action/service` argument leads to os command injection. This issue can be exploited remotely. The exploit has been publicly disclosed and may be used. **Recommendations** For Roxy-WI versions up to 8.1.3, upgrade to version 8.1.4 to address this issue. As a temporary workaround, consider restricting access to the `action service` function until the update is applied.

**Name of the Vulnerable Software and Affected Versions** eNMS versions up to 4.2 **Description** A critical issue has been found in the function `multiselect filtering` of the file eNMS/controller.py of the component TGZ File Handler. The manipulation leads to path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. **Recommendations** Apply a patch to fix this issue, specifically the patch identified as 22b0b443acca740fc83b5544165c1f53eff3f529. As a temporary workaround, consider disabling the `multiselect filtering` function until a patch is available. Restrict access to the TGZ File Handler component to minimize the risk of exploitation.